If you are feeling a little limited in information about Windows 2008, check out the following featured components:
· AD DS: Restartable Active Directory Domain Services
Windows 2008 introduced the ability to start or stop directory services running on a domain controller without shutting it down, allowing administrators to perform maintenance (offline defragmentation, security updates, etc.) or recovery on the AD database without rebooting into Directory Services Restore Mode.
· AD DS: Fine-Grained Password Policies
One very significant change with Windows 2008 AD DS is the ability to implement granular password policies within a single domain. Fine-grained password policies always win over the domain password policy, and they can be applied to groups or users. For fine-grained password policies to be implemented, all DCs must be running Windows 2008 and the domain must be in Windows 2008 functional mode.
· AD DS: Auditing
In Microsoft® Windows® 2000 Server and Windows Server 2003, Active Directory audit logs can show you who made changes to what object attributes, but the events do not display the old and new values. In Windows Server 2008 you can now set up AD DS auditing with a new audit subcategory (Directory Service Changes) to log old and new values when changes are made to objects and their attributes.
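As an added example (not from the original post), the PowerShell below turns on the Directory Service Changes subcategory with auditpol and then pairs the resulting 5136 events so the old and new value of each attribute change appear side by side. It assumes PowerShell 2.0 on a 2008 domain controller, that the objects of interest already carry a SACL for property writes, and that the 5136 field names and the two OperationType codes are as I list them (an assumption, not something the post states).

```powershell
# Added example, not part of the original post. Enables the "Directory Service
# Changes" audit subcategory and pairs 5136 events (one "Value Deleted" carrying
# the old value, one "Value Added" carrying the new value, linked by OpCorrelationID).
# Assumes PowerShell 2.0 on a Windows Server 2008 DC, run as an administrator.

# 1. Enable the subcategory (success events) with the built-in auditpol tool.
auditpol.exe /set /subcategory:"Directory Service Changes" /success:enable | Out-Null

# Assumed rendering of the raw OperationType field in event 5136.
$opNames = @{ '%%14674' = 'Value Added'; '%%14675' = 'Value Deleted' }

function Get-DSChangePairs {
    param([int]$MaxEvents = 200)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136 } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    $rows = @()
    foreach ($e in $events) {
        # Read the EventData fields by name rather than by position.
        $xml = [xml]$e.ToXml()
        $d = @{}
        foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        $op = $d['OperationType']
        if ($opNames.ContainsKey($op)) { $op = $opNames[$op] }
        $rows += New-Object PSObject -Property @{
            Time        = $e.TimeCreated
            Correlation = $d['OpCorrelationID']
            Who         = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Object      = $d['ObjectDN']
            Attribute   = $d['AttributeLDAPDisplayName']
            Operation   = $op
            Value       = $d['AttributeValue']
        }
    }
    # One change = one correlation ID: "Value Deleted" is the old value, "Value Added" the new one.
    $rows | Group-Object Correlation | ForEach-Object {
        $old   = ($_.Group | Where-Object { $_.Operation -eq 'Value Deleted' } | Select-Object -First 1).Value
        $new   = ($_.Group | Where-Object { $_.Operation -eq 'Value Added' }   | Select-Object -First 1).Value
        $first = $_.Group | Select-Object -First 1
        New-Object PSObject -Property @{
            Time      = $first.Time
            Who       = $first.Who
            Object    = $first.Object
            Attribute = $first.Attribute
            OldValue  = $old
            NewValue  = $new
        }
    }
}

Get-DSChangePairs | Sort-Object Time -Descending |
    Format-Table Time, Who, Object, Attribute, OldValue, NewValue -AutoSize
```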
· AD DS: Read-Only Domain Controllers (RODC)
Windows 2008 includes the ability to deploy domain controllers that host read-only partitions of the Active Directory® Domain Services (AD DS) database. To deploy an RODC, at least one writable domain controller in the domain must be running Windows Server 2008. In addition, the functional level for the domain and forest must be Windows Server 2003 or higher.
· AD DS: Database Mounting Tool (Dsamain)
The Active Directory database mounting tool (Dsamain.exe) is a command-line tool that allows administrators to view snapshots of data within an AD DS database (it can also be used with AD Lightweight Directory Services databases). The tool can improve recovery processes for your organization by providing a means to compare data as it exists in snapshots or backups taken at different times, so that you can better decide which data to restore after data loss. This eliminates the need to restore multiple backups in order to compare the Active Directory data they contain.
Hi All,
I have started collecting a list of whitepapers based upon virtualisation of domain controllers and services, I just figured that you may find these of use!
KB897615 Support policy for Microsoft software running in non-Microsoft hardware virtualization software
http://support.microsoft.com/default.aspx?scid=kb;EN-US;897615
KB897613 Microsoft Virtual Server support policy
http://www.support.microsoft.com/kb/897613
KB897614 Windows Server System software not supported within a Microsoft Virtual Server environment
http://www.support.microsoft.com/kb/897614
KB888794 Considerations when hosting Active Directory domain controller in virtual hosting environments
http://support.microsoft.com/default.aspx?scid=kb;EN-US;888794
KB320220 Support policy for Exchange Server 2003 running on hardware virtualization software
http://support.microsoft.com/default.aspx?scid=kb;EN-US;320220
KB909840 Hardware virtualization support for SharePoint products and technologies
http://support.microsoft.com/default.aspx?scid=kb;EN-US;909840
KB953797 Time Synchronization issue in Windows Server 2003 systems running as VMware Guests
http://support.microsoft.com/default.aspx?scid=kb;EN-US;953797
KB888746 You may experience time-related issues with programs that run in a virtual machine in Virtual Server 2005
http://support.microsoft.com/default.aspx?scid=kb;EN-US;888746
KB887727 Time synchronization settings in Virtual Server 2005
http://support.microsoft.com/default.aspx?scid=kb;EN-US;887727
VMware KB: VMware Time Sync and Windows Time Service
http://kb.vmware.com/selfservice/viewContent.do?language=en_US&externalId=1318
Running Domain Controllers in Virtual Server 2005
http://www.microsoft.com/downloads/details.aspx?familyid=64db845d-f7a3-4209-8ed2-e261a117fc6b&displaylang=en
For pre-deployment of virtualized DCs, you can try the MAP 3.0 tool at:
www.microsoft.com/map
Hi all,
I manage a local school's infrastructure in my spare time and they had this strange little issue:
After a power outage, the information store on my Exchange 07 SP1 server (running Windows 2008) would not start. All other services were running ok and running the following command:
SC Query MSExchangeIS
I could see the following:
State : 0 Stopped
Win32_Exit_Code : 1066 (0x42a)
Service_Exit_Code : 0 (0x0)
Checkpoint : (0x0)
Wait_Hint : (0x0)
I did some research and it appeared that it may have been AV orientated, so I went into the following registry key:
The key is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\VirusScan\Enabled
Current value 1 changed to 0
This allowed the service to start and all email was fine.
I have now re-installed my AV and it all appears to be back to normal, and the Enabled value is now back at 1.
Very interesting!
Hi All,
I had a question today that I wanted to get to the bottom of, it is an old question but as I obviously forgot the answer in detail, I had to find it. :)
The question was "How can I tell if a connection object is manual or not?"
The first obvious place to look is the name: if it is called <automatically generated> then it is KCC generated and therefore automatic. If it is manual, then it should be easy to tell because most sane people would call it something else. If not, then how can you tell?
Well, the way to do it is using ADSI Edit, via the configuration NC. From here go into Sites, <site name>, Servers, <server name>, NTDS Settings, and then the properties of the connection object. In here check out the options attribute on the connection object. Now comes the tricky part:
"If the value (options BITWISE-AND 1) equals 1, the KCC owns the connection. If you modify a KCC-generated connection, the options value changes. If you create a new connection object, the value of the options attribute is set to 0."
I hope this helps someone else..
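The check described above, done for every connection object at once as an added example (not code from the original post): it walks CN=Sites in the configuration NC with plain ADSI and tests bit 0 of the options attribute, so it needs no extra modules. The only assumption is that the account running it can read the configuration partition.

```powershell
# Added example, not part of the original post. Lists every nTDSConnection
# object under CN=Sites and reports, from bit 0 of its options attribute,
# whether the KCC owns it (automatic) or it was created by hand (manual).

$NTDSCONN_OPT_IS_GENERATED = 1   # bit 0 of options: set when the KCC generated the connection

function Get-ConnectionObjectOwnership {
    $configNc = [string]([ADSI]"LDAP://RootDSE").configurationNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Sites,$configNc"
    $searcher.Filter     = "(objectClass=nTDSConnection)"
    $searcher.PageSize   = 1000
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@("name", "options", "fromServer", "distinguishedName"))

    foreach ($r in $searcher.FindAll()) {
        $options = 0
        if ($r.Properties["options"].Count -gt 0) { $options = [int]$r.Properties["options"][0] }
        $kccOwned = (($options -band $NTDSCONN_OPT_IS_GENERATED) -eq $NTDSCONN_OPT_IS_GENERATED)
        $owner    = "manual"
        if ($kccOwned) { $owner = "KCC (automatic)" }

        # DN layout: CN=<conn>,CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,...
        # fromServer: CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,...
        $name = [string]$r.Properties["name"][0]
        $dn   = [string]$r.Properties["distinguishedname"][0]
        $from = [string]$r.Properties["fromserver"][0]

        New-Object PSObject -Property @{
            Name       = $name
            ToServer   = (($dn   -split ',')[2] -replace '^CN=', '')
            FromServer = (($from -split ',')[1] -replace '^CN=', '')
            Options    = $options
            Owner      = $owner
            # A manual object still named like a KCC one deserves a second look.
            Suspicious = ((-not $kccOwned) -and ($name -like '<automatically generated>*'))
        }
    }
}

Get-ConnectionObjectOwnership | Sort-Object Owner, ToServer |
    Format-Table Name, FromServer, ToServer, Options, Owner, Suspicious -AutoSize
```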
Hi all,
I have installed a Windows 2008 server into my Windows 2003 domain. I then enabled RDP on my Windows 2008 server and verified that I could connect from my Vista client on the network. While working from home, I quickly found out that I could not RDP onto my Windows 2008 server from my 2003/XP clients. Very annoying.
The reason for this is that when I enabled RDP on the 2008 server, I selected "Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure)", thinking that it was not a problem as I would only manage the server using Vista.
The problem was that when I took my laptop home, I was only left with 2003 and XP clients to manage the new 2008 servers. doh!
This setting means that the server requires Network Level Authentication, which is currently available only on Windows Vista or Windows Server 2008. You can verify that your RDP client does not support NLA simply by running MSTSC, clicking the icon in the top left-hand corner, choosing About, and looking for the text "Network Level Authentication not supported".
In this case, if you still want to RDP to the Windows 2008 server and you do not have a Vista/2008 client, then you can change the UserAuthentication value to 0. This setting enables legacy client support on Windows 2008 by removing the requirement for NLA.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\WinStations\RDP-Tcp
Data Type: DWORD
Value Name: UserAuthentication
Value: 1 (NLA required; set to 0 to allow legacy clients)
Now you should be able to RDP to a Windows 2008/Vista host.
I hope this helps! it helped me.
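As an added example (not from the original post), the same setting can be read and changed through the Terminal Services WMI provider rather than by editing the registry by hand, which also lets you put NLA back once the legacy clients are gone. It assumes PowerShell 2.0 and administrative rights on the Windows 2008 server; the function names are mine.

```powershell
# Added example, not part of the original post. Reads the RDP-Tcp listener's
# NLA requirement via Win32_TSGeneralSetting (root\CIMV2\TerminalServices on
# Vista / Server 2008) and cross-checks it against the registry value the post
# edits. Set-RdpNlaRequired uses the provider's own method to change it.

$RdpTcpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-RdpTcpSetting {
    Get-WmiObject -Namespace 'root\CIMV2\TerminalServices' -Class Win32_TSGeneralSetting `
                  -Filter "TerminalName='RDP-Tcp'"
}

function Get-RdpNlaSetting {
    $ts  = Get-RdpTcpSetting
    $reg = Get-ItemProperty -Path $RdpTcpKey
    New-Object PSObject -Property @{
        UserAuthenticationRequired = [int]$ts.UserAuthenticationRequired   # 1 = NLA required, 0 = legacy clients allowed
        SecurityLayer              = [int]$ts.SecurityLayer                # 0 = RDP, 1 = negotiate, 2 = TLS
        RegistryUserAuthentication = [int]$reg.UserAuthentication          # same setting, as seen in the registry
        LegacyClientsAllowed       = ([int]$ts.UserAuthenticationRequired -eq 0)
    }
}

function Set-RdpNlaRequired {
    param([bool]$Required = $true)   # $false is the post's workaround for XP/2003 clients
    $ts = Get-RdpTcpSetting
    $result = $ts.SetUserAuthenticationRequired([int]$Required)
    if ($result.ReturnValue -ne 0) {
        throw "SetUserAuthenticationRequired failed with return value $($result.ReturnValue)"
    }
    Get-RdpNlaSetting
}

# Show the current state; uncomment one of the Set lines to change it.
Get-RdpNlaSetting | Format-List
# Set-RdpNlaRequired $false   # allow pre-Vista clients (what the post describes)
# Set-RdpNlaRequired $true    # require NLA again once legacy clients are gone
```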
This month I have been setting up my first Windows 2008 Core server to go into a production environment. It has been a very interesting experience, as I was expecting a straightforward process but ran into a few challenges. What with some vendor-specific hardware and a bizarre WSUS issue, I have certainly had some fun.
Therefore I thought that I would share with you my cheat sheet, which has a few basic commands that got me through this build; some of these commands seemed to be harder to find than expected. They are in no particular order from a technical point of view, but are in the order that I found them/needed them.
Set the computer name
Netdom computername <origcomputername> /add:core.contoso.com
Netdom computername <origcomputername> /makeprimary:core.contoso.com
Configure IP address
Netsh int ipv4 set address "Local Area Connection" static 192.168.1.200 255.255.255.0 192.168.1.1
Netsh int ipv4 set address "Local Area Connection" source=dhcp
Netsh int ipv4 set dnsserver "Local Area Connection" static 192.168.1.200 primary
Netsh int ipv4 set winsserver "Local Area Connection" static 192.168.1.200 primary
Change the name of the network interface
Netsh int set interface name="Local Area Connection" newname="LAN"
Manage Firewall
Netsh firewall set opmode enable
Netsh firewall set opmode disable
Enable Remote Administration
Netsh firewall set service remoteadmin enable
To set up the registry for remote admin
Cscript C:\Windows\System32\Scregedit.wsf /ar 0
If you are using an older version of TS client, then you need to drop the security levels on core
cscript C:\Windows\System32\Scregedit.wsf /cs 0
To enable automatic updates
cscript C:\Windows\System32\Scregedit.wsf /AU 4
To use the Disk Management MMC snap-in remotely
Net start vds
To view main hardware/software details of core
Systeminfo.exe
Reset the administrator password
Net user administrator *
To activate the server
Slmgr.vbs -ato
To join the domain
Netdom join <computer name> /domain:<domainname> /userd:<username> /password:<password>
Restart core
Shutdown /r
To find out remotely whether this server is a Core build, using WMI
wmic path win32_operatingsystem get OperatingSystemSKU /value
To list installed drivers:
Sc query type= driver
Installing a driver that is not included:
Copy the driver files to Server Core
Pnputil -i -a <path>\<driver>.inf
List of installed patches:
wmic qfe list
Hopefully you will find this useful too :)
If you have ever run into an issue where you have set up a server but forgot to put the tick in the box to enable remote desktop, then read on!
Many times I have done this and then had to go all the way over to the server (sometimes in a different office) to enable it... if only I had known!
Just connect to the remote registry of the server in question and head to
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server
Under the Terminal Server key, you'll find a REG_DWORD value named fDenyTSConnections. Double-click on that value to open the Edit DWORD Value box and change the value data from 1 (Remote Desktop disabled) to 0 (Remote Desktop enabled).
Easy when you know how!
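The remote registry trick above and the scregedit.wsf settings from the Core cheat sheet (/ar, /cs and /AU) touch the same handful of values, so as an added example (not from the original posts) here is a PowerShell audit that reads them back from a list of servers and flags Core installs via Win32_OperatingSystem. It assumes PowerShell 2.0 on the admin workstation, the Remote Registry service running on the targets, an account with local administrator rights on them, and constructed server names.

```powershell
# Added example, not part of the original posts. Reads, over Remote Registry,
# the values that scregedit.wsf /ar, /cs and /AU (and the manual edit above)
# change, and uses OperatingSystemSKU to flag Server Core. Server names are
# constructed for the example.

$servers = @('core01.contoso.com', 'fs02.contoso.com')   # constructed example names

# Windows Server 2008 Server Core SKU ids: 12 Datacenter, 13 Standard, 14 Enterprise.
$coreSkus = @(12, 13, 14)

function Get-RemoteDword {
    param([string]$Computer, [string]$SubKey, [string]$Name)
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
    try {
        $key = $hklm.OpenSubKey($SubKey)
        if ($key -eq $null) { return $null }
        $key.GetValue($Name)   # $null when the value was never set (e.g. AUOptions)
    } finally {
        $hklm.Close()
    }
}

function Get-RdpHardeningReport {
    param([string[]]$ComputerName)
    foreach ($c in $ComputerName) {
        $os   = Get-WmiObject Win32_OperatingSystem -ComputerName $c
        $deny = Get-RemoteDword $c 'SYSTEM\CurrentControlSet\Control\Terminal Server' 'fDenyTSConnections'
        $nla  = Get-RemoteDword $c 'SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' 'UserAuthentication'
        $au   = Get-RemoteDword $c 'SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update' 'AUOptions'

        $finding = ''
        if (($deny -eq 0) -and ($nla -ne 1)) { $finding = 'RDP enabled without NLA (scregedit /cs 0 or UserAuthentication=0)' }

        New-Object PSObject -Property @{
            Computer       = $c
            ServerCore     = ($coreSkus -contains [int]$os.OperatingSystemSKU)
            RdpEnabled     = ($deny -eq 0)   # /ar 0, or fDenyTSConnections set to 0 by hand
            NlaRequired    = ($nla -eq 1)    # /cs 1; /cs 0 drops it to 0
            AutoUpdateMode = $au             # 4 = auto download and install (/AU 4)
            Finding        = $finding
        }
    }
}

Get-RdpHardeningReport $servers |
    Format-Table Computer, ServerCore, RdpEnabled, NlaRequired, AutoUpdateMode, Finding -AutoSize
```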
If you are trying to perform a manual offline update to the MBSA tool but can't find the latest version of the database on the internet (as I struggled too), just click on the following link and download it.
http://go.microsoft.com/fwlink/?LinkID=74689
I came across this today and figured that you may all want to hear about it.
Are you a registered student? Do you want to start demonstrating your programming skills but can't afford products like XNA Game Studio or Visual Studio? Well, look no further: Microsoft are now giving the stuff away.
Check out http://www.microsoft.com/Presspass/press/2008/feb08/02-18GSDPR.mspx?rss_fdn=Press%20Releases
Hi all,
Ever wanted a change of decor in your house? Rather than boring old patterned wallpaper, what about getting some great posters with the core components of specific technologies to put in their place... amaze your friends, impress your spouse... check out the technical posters from Microsoft. :)
Microsoft have created a "Book of Longhorn" that covers all the changes in functionality from Windows Server 2003 with SP1 to Windows Server 2008. I really recommend having a look at this one...
http://www.microsoft.com/downloads/details.aspx?familyid=173E6E9B-4D3E-4FD4-A2CF-73684FA46B60&displaylang=en
Well, this is an interesting subject. As many of you know, there is no MCSE for the Windows 2008 family; it has been replaced with a new, exciting qualification. So, let's have a look at some of the new details.
We have four new(ish) qualifications that we could aim for, namely the Microsoft Certified Technology Specialist, Microsoft Certified IT Professional, Microsoft Certified Professional Developer and the Microsoft Certified Architect. This blog article will focus on the Technology specialist and IT pro certifications.
Microsoft Certified Technology Specialist
The Microsoft Certified Technology Specialist will consist of 1-3 exams (generally one exam, with exceptions) that focus on a specific technology, so you could say that you are an MCTS in Exchange, ISA or whatever specific technology or technologies you want to focus on.
These exams will also expire when the technology falls out of mainstream support: the exam remains on your transcript until support is completely finished, and then it will be removed from your transcript automatically.
Microsoft Certified IT Professional
There are now two MCITP certifications: Microsoft Certified IT Professional Server Administrator (MCITP-SA) and Microsoft Certified IT Professional Enterprise Administrator (MCITP-EA). These two main paths are stand-alone certifications and will typically be valid for three years.
Many people will look at the new qualifications as a direct replacement for the MCSA and the MCSE, but Microsoft actually started over with the job roles, and the objective domains (what the exams cover) are a different set of skills in the new MCITP than they were in the MCSA and MCSE. Server Administrator covers much more of operations than the MCSA did.
Enterprise Admin is based on an actual job role profile where the MCSE certification was not - it combined technical skills with some job skills included. The simplest way of positioning these are that the server administrator’s job responsibility would be one of master operator, whereas, the enterprise administrator’s job responsibility would be more like a designer.
In the past the MCSA was a subset of the MCSE; however, the new Enterprise Administrator certification does not encompass the components of the new Server Administrator. EA is focused on design and SA is focused on operations, so if you earn the EA, you do NOT automatically earn your SA. You need to complete the requirements for both if you want to earn both.
If you are a current MCSE/MCSA 2003, we already provide an upgrade path to maintain the customer’s investment in the previous programs, but that is where the MCSE path stops and a new pathway commences. The current MCSE program will continue to exist for Legacy operating systems so there is no fear that your current MCSE 2000 or MCSE 2003 no longer exist. It is expected that this will continue on for a long while yet.
So where do you go from here, well let’s have a look:
Current MCSA 2003, wanting to move to 2008
If you are a current MCSA and would like to upgrade to the closest equivalent in Windows 2008, then you will need to:
Sit the upgrade exam 70-648, which will effectively earn you 2 MCTS certifications:
· Windows Server 2008 Active Directory Configuration
· Windows Server 2008 Networking Infrastructure Configuration
If you want to be accredited with the 2008 MCITP – Server Administrator Qualification, then you need to sit one more exam which is 70-646 (Server Admin).
If you want to be accredited with the 2008 MCITP – Enterprise Administrator Qualification, then you need to sit three more exams:
· 70-643 (Windows Server 2008 Application Infrastructure Configuration)
· 70-620 (TS: Configuring Microsoft Windows Vista Client) or 70-624 (TS: Deploying and Maintaining Windows Vista Client and 2007 Microsoft Office System Desktops)
· 70-647 (Enterprise Admin)
Current MCSE 2003, wanting to move to 2008
If you are a current MCSE and would like to upgrade to the closest equivalent in Windows 2008, then you will need to:
Sit the upgrade exam 70-649, which will effectively earn you 3 MCTS certifications:
· Windows Server 2008 Active Directory Configuration
· Windows Server 2008 Networking Infrastructure Configuration
· Windows Server 2008 Application Infrastructure Configuration
If you want to be accredited with the 2008 MCITP – Server Administrator Qualification, then you need to sit one more exam which is 70-646 (Server Admin).
If you want to be accredited with the 2008 MCITP – Enterprise Administrator Qualification, then you need to sit two more exams:
· 70-620 (TS: Configuring Microsoft Windows Vista Client) or 70-624 (TS: Deploying and Maintaining Windows Vista Client and 2007 Microsoft Office System Desktops)
· 70-647 (Enterprise Admin)
NOTE: It is important to realise that you do not need to reach the job role of Server Administrator/Enterprise Administrator if your job does not require it.
Complete the whole 2008 MCITP- Server Administrator certification from scratch
If you want to start from scratch and go through the whole certification path, then you will need to sit the following:
· 70-642: TS: Windows Server 2008 Network Infrastructure Configuration
· 70-640: TS: Windows Server 2008 Active Directory Configuration
· 70-646: Pro: Server Administrator
Complete the whole 2008 MCITP- Enterprise Administrator certification from scratch
If you want to start from scratch and go through the whole certification path, then you will need to sit the following:
· 70-620 (TS: Configuring Microsoft Windows Vista Client) or 70-624 (TS: Deploying and Maintaining Windows Vista Client and 2007 Microsoft Office System Desktops)
· 70-643: TS: Windows Server 2008 Applications Infrastructure, Configuration
· 70-642: TS: Windows Server 2008 Network Infrastructure Configuration
· 70-640: TS: Windows Server 2008 Active Directory Configuring
· 70-647: Pro: Windows Server 2008 Enterprise Administrator
NOTE: All of the MCTS exams are targeted for 30 days after RTM of Windows Server 2008 and the Role based exams are targeted for 60 days after RTM of Windows Server 2008.
Courses that are available for MCTS
To obtain the MCTS qualification, there are a number of courses available to help prepare you towards the exam, these are as follows:
· Introducing Windows Server 2008 First Look Clinic/Hands on Labs
· 6400A/6401A: First Look: Getting Started with Centralized Application Access in Windows Server 2008
· 6402A/6403A: First Look: Getting Started with Branch Office Management in Windows Server 2008
· 6404A/6405A: First Look: Getting Started with High Availability in Windows Server 2008
· 6406A/6407A: First Look: Getting Started with Security and Policy Control in Windows Server 2008
· 6408A/6409A: First Look: Getting Started with Server Management in Windows Server 2008
· 6410A/6411A: First Look: Getting Started with Server Virtualization in Windows Server 2008
· 6412A/6413A: First Look: Getting Started with Web and Applications Platform Technologies in Windows Server 2008
Courses that are available for MCTS and are Windows 2008 focused
· 6430A/AL: Managing and Maintaining Windows Server 2008 Servers
· 6435A: Designing a Windows Server 2008 Network Infrastructure
· 6436A: Designing a Windows Server 2008 Active Directory Infrastructure and Services
· 6437A: Designing a Windows Server 2008 Applications Platform Infrastructure
· 6421A/AL: Configuring and Troubleshooting a Windows Server 2008 Network Infrastructure
· 6425A/AL: Configuring Windows Server 2008 Active Directory Domain Services
· 6426A/AL: Configuring Identity and Access Solutions with Windows Server 2008 AD
· 6427A: Configuring and Troubleshooting Internet Information Services in Windows Server 2008
· 6428A: Configuring Windows Server 2008 Terminal Services
NOTE: The above two course lists are not exhaustive and are subject to change.
Some just might say that security has gone mad these days, gone are the times when we only used firewalls to protect our internal network infrastructure from external attack. Certainly I now see many of our customers deploying internal firewalls to protect their sites but at the same time, cause poor old Active Directory some challenges.
Therefore, with this ever-growing popularity, I figured it would be nice to have the main ports that need to be open listed in a simple table. As one customer seemed to like it, I thought I may as well give it to you all. You never know when you will need it.
Possible Rule name | Description | Port | Path
Active Directory Domain Controller - LDAP (TCP-In) | Inbound rule for the Active Directory Domain Controller service to allow remote LDAP traffic. (TCP 389) | 389 | %systemroot%\System32\lsass.exe
Active Directory Domain Controller - LDAP (UDP-In) | Inbound rule for the Active Directory Domain Controller service to allow remote LDAP traffic. (UDP 389) | |